Firewalls.com Learning Center

Product Reviews & Releases

  • New TZ Firmware, Now Up To 4x FASTER

    SonicWALL TZ 190

    SonicOS 3.9.0.1, the newest release for the TZ 180 and TZ 190 Series, improves Deep Packet Inspection (DPI) performance by up to 4x and provides increased security through the next generation of SonicWALL's patented "Reassembly Free Deep Packet Inspection" (RF-DPI) security technology. The latest generation RF-DPI security engine features components of SonicWALL's Application Firewall technology and other significant technological enhancements including dynamic deep content intelligence and real-time dynamic threat analysis. SonicOS Standard and Enhanced 3.9.0.1 are available for download now on MySonicWALL to customers with an active support contract.

    Learn more about SonicOS 3.9.0.1, which is now up to 4x faster:
    SonicOS Enhanced 3.9.0.1 Release Notes
    SonicOS Enhanced 3.9 Administrator’s Guide
    SonicOS Standard 3.9 Administrator’s Guide

  • E-Class NSA E6500 Earns FIVE Stars, SC Magazine

    In the March 7 issue of SC Magazine, the SonicWALL E-Class NSA E6500 received FIVE STARS. Here is a brief excerpt:

    "...The E-Class appliance is designed with the large enterprise in mind. This product features not only an advanced application firewall and a VPN, but it also includes a full threat protection suite. This suite brings together features such as gateway anti-virus, anti-spyware and an IPS that protects against viruses, spyware, worms, trojans, software vulnerabilities and other malicious code, as well as a web URL and content filter. We were especially impressed with its feature set. This product was simple to use straight from the box..."

  • SonicWALL Aventail E-Class SSL VPN Appliances for the Enterprise

    With more employees, partners and customers connected over a more widely-distributed and mobile enterprise, there is greater demand for a single, centrally-managed gateway to control access to network resources. SonicWALL Aventail SSL VPNs provide complete application access with full security, control of the end point and unified policy management. Easy to use and control, SonicWALL Aventail SSL VPNs increase productivity by providing employees and partners with secure, clientless access to the resources they need from any device, anywhere, with unmatched security. SonicWALL Aventail SSL VPNs also lower total cost of ownership (TCO) by eliminating difficult IPSec VPN deployments and constant support calls.
  • Anti-Spam Desktop Enforced Email Protection

    SonicWALL® Anti-Spam Desktop delivers client-based anti-spam, anti-phishing protection for Outlook or Outlook Express e-mail clients on Windows-based desktops or laptops. With SonicWALL Anti-Spam Desktop, e-mail once again becomes a tool to enhance productivity—instead of a source of user frustration and administrative dread. SonicWALL has engineered costs out of Anti-Spam Desktop to deliver affordable world-class e-mail protection.

    Blocks Spam and Phishing Email

    When SonicWALL Anti-Spam Desktop is installed on a Windows-based system it acts as a plug-in to Outlook or Outlook Express. Anti-Spam Desktop evaluates e-mail arriving via Exchange, POP, or IMAP to the Outlook or Outlook Express system, and prevents spam and phishing e-mail from reaching the Inbox.

    Supported Platforms

    SonicWALL currently supports the following platform/email client combinations for Anti-Spam Desktop. While Anti-Spam Desktop may operate on other platform/e-mail client combinations, such combinations are NOT supported.

    • Windows Vista (32-bit): Outlook 2003 and 2007 (the Winmail e-mail client on Vista is not supported at this time)
    • Windows XP: Outlook 2003 and 2007, Outlook Express 6.0
    • Windows 2000: Outlook 2002 and 2003, Outlook Express 6.0

    How SonicWALL Anti-Spam Desktop Works

    Once installed, SonicWALL Anti-Spam Desktop will start each time the Outlook or Outlook Express e-mail client is started. Anti-Spam Desktop evaluates e-mail as it arrives, placing spam e-mail in the Junk Mail folder, phishing e-mail in the Phishing Mail folder, and legitimate e-mail in the Inbox. With the Challenge/Response option, challenged e-mail will be placed in the Challenged Mail folder.

    If a spam message does get delivered to the Inbox, users simply highlight the message and select the “Junk” button to remove it from the Inbox. This also adds the sender to a blocked list so that future e-mail from this sender is blocked as spam. Should a legitimate e-mail unintentionally be placed in the Junk Mail folder, the user may simply highlight the message and select the “Unjunk” button. This action will also add the sender to an allowed list so that future e-mail from that person is delivered correctly.


  • PRO 2040 Hardware Failover Whitepaper

    Article By: Craig Langley, CSSA, and Director of Technical Operations

    Hardware Failover Prevents Firewall and Network Downtime

    Hardware Failover (HF) allows two identical SonicWALL PRO Series security appliances running SonicOS Enhanced to be configured to provide a reliable, continuous connection to the public Internet. In the event of the failure of the Primary SonicWALL, the Backup Firewall takes over to maintain a reliable connection between the protected network and the Internet.

    How Hardware Failover Works

    Hardware Failover requires one SonicWALL device configured as the Primary SonicWALL, and an identical SonicWALL device configured as the Backup SonicWALL. During normal operation, the Primary SonicWALL is in an Active state and the Backup SonicWALL in an Idle state. When a failure on the Primary SonicWALL occurs, the Backup SonicWALL transitions to Active mode and assumes the configuration and role of Primary. The failover applies to loss of functionality or network-layer connectivity on the Primary SonicWALL.

    SonicWALL security appliance configuration is performed on only the Primary SonicWALL, with no need to perform any configuration on the Backup SonicWALL. The Backup SonicWALL contains a real-time mirrored configuration of the Primary SonicWALL via a dedicated Ethernet link. If the firmware configuration becomes corrupted on the Primary SonicWALL, the Backup SonicWALL automatically refreshes the Primary SonicWALL with the last-known-good copy of the configuration preferences.

    The Primary and Backup SonicWALL appliances have unique MAC addresses and communicate via the X3 interface on the PRO 2040 series. The dedicated HF interface link transmits all synchronization information from the Primary SonicWALL to the Backup SonicWALL. There are two types of synchronization: incremental and complete. If the timestamps are in sync and a change is made on the Active unit, an incremental sync is pushed to the Idle unit. If the timestamps are out of sync and the Idle unit is available, a complete sync is pushed to the Idle unit. When incremental synchronization fails, a complete synchronization is automatically attempted.

    In practice, the switchover from Primary to Secondary is barely perceptible by network users, and VPN connections are maintained. The failover detection mechanism is configurable, and is based on the number of missed heartbeats, IP probe failure, or both. Failover for inbound traffic (Web, FTP, Mail, etc.) can be provided by creating NAT policies for both WAN subnets, as long as the DNS entries are pointing to both WAN IPs (Load Balancing). More and more ISPs support “Fast Flux” DNS to provide primary and secondary DNS paths, or the rapid switching in the event of failover.

    The LAN, WAN, and DMZ Zones on both firewalls share the same Ethernet switch, so provisions must be made to have separate switches for each Zone, or a single switch segmented to provide isolation between Zones.

    Crash Detection

    The Hardware Failover feature has a thorough self-diagnostic mechanism for both the Primary and Backup SonicWALL security appliances. The failover to the Backup SonicWALL occurs when critical services are affected, physical (or logical) link failure is detected on monitored interfaces, or when the SonicWALL loses power. The self-checking mechanism is managed by software diagnostics, which check the complete system integrity of the SonicWALL device. The diagnostics check internal system status, system process status, and both internal and external network connectivity. For example, if a network topology has three levels, then diagnostics are performed on the router/switch/hub connectivity on the first, second, and third level. There is a weighting mechanism on both sides to decide which side has better connectivity, used to avoid potential failover looping. Critical internal system processes such as NAT, VPN, and DHCP (among others) are checked in real time. The failing service is isolated as early as possible, and the failover mechanism repairs it automatically.

    License Sharing Makes HF Affordable

    Two identical firewalls with Support and SonicOS Enhanced Licenses are required to deploy HA. The two firewalls need to be Associated Products via their registration at www.mysonicwall.com.

  • SSL/VPN Buyers Guide

    SonicWALL’s SSL-VPN devices are standalone boxes that sit on your network and manage remote access to your systems. Unlike conventional IPSEC VPNs, SSL-VPNs require no client software on the remote user’s computer. Secure, high encryption access is achieved using only a standard web browser. After authentication, the SSL-VPN device automatically provides the “client” to the remote browser during the session and removes all traces of it when the session is ended. This means that secure access to the network can be assured even over a public machine, whether from a public library workstation or a mobile notebook computer using a public hotspot.

    Which device is appropriate for your situation depends primarily on the size of your network and the number of concurrent remote users needed. While these devices have no actual licensing restrictions, they do have recommended maximums for performance considerations, as reflected in the list below:

    • SSL-VPN 200: Recommended for organizations with 50 or fewer employees. Concurrent User License: Unrestricted. Recommended Maximum Concurrent Users: 10
    • SSL-VPN 2000: Recommended for organizations with 500 or fewer employees. Concurrent User License: Unrestricted. Recommended Maximum Concurrent Users: 50
    • SSL-VPN 4000: Recommended for organizations with 500 or more employees. Concurrent User License: Unrestricted. Recommended Maximum Concurrent Users: 200

    More detailed specification information can be found at: http://www.firewalls.com/docs/DS_SSL-VPN_US_1206.pdf

    Pricing and other comparison information can be found at: http://www.firewalls.com/productcart/pc/viewCategories.asp?idCategory=4

    Remote Connection Process:

    • Incoming HTTPS traffic is seamlessly forwarded by the TZ or PRO Series firewall to the SSL-VPN appliance which decrypts and authenticates network traffic.
    • Users are authenticated using the onboard database or through third-party authentication methods such as RSA,* Vasco, RADIUS, LDAP, Microsoft Active Directory or Windows NT Domain. (*RSA authentication available only on the SSL-VPN 2000 and 4000)
    • A personalized Web portal provides access to only those resources that the user is authorized to view based on company policies.
    • Traffic is passed back to the PRO or TZ Series firewall where it is fully inspected for viruses, worms, Trojans, spyware and other sophisticated threats by the SonicWALL Unified Threat Management solution.

    If you wish to speak to someone about your particular situation, contact our Technical Sales staff at 866-469-9255, Option #1.

    About Todd

    Director of Technical Sales for Dreaming Tree Technology, Inc. I have more than 8 years of experience in IT consulting and network implementation.

  • SonicWALL PRO 2040 Review

    The SonicWall PRO 2040 is easily the most powerful—and complex—of the units we tested. Our test unit had a capacity of 150 simultaneous VPN tunnels, 50-Mbps VPN capacity, and 50 internal devices, not to mention intricate controls over the VPN and security policies. The PRO 2040 needs experienced IT people to operate it, but in return it can manage the security needs of a fairly complex organization.

    Key to the PRO 2040's architecture are zones, a security concept in the SonicOS operating system. The idea of zones is to give different levels of privileges to different internal users by varying their access to the different interfaces (X0, X1, and so on). Zones are another example of how the PRO 2040 is more powerful and complicated than the other products in this review. With just four interfaces, zones might be overkill. Still, they're a convenient way to manage security, and the planned growth of features in the product might make zones necessary at some point.

    There is also very good control over NAT policies, through which the administrator can control address translation to a far greater degree than the usual one-to-many mapping capability. For instance, we could map one external address to one specific internal address, which is handy for keeping publicly accessible servers on the internal network. It's also possible to map many internal systems to a single WAN address, with uniqueness at the port level, and even many-to-many. And even better, these features can be used to define a wireless zone on an isolated port that requires IPsec.

    The complexity of such features becomes manageable through the operating system's object-based management approach. Administrators can define objects for ranges of network addresses, users, groups, services and schedules, and apply policies to them. Policies, such as the NAT policies, are applied to these objects. Changes in the objects don't require changes in the policies.

    Upgrades are available to the unit to enforce client-side antivirus use (with the McAfee client) and Web-content filtering. The device can be managed remotely by centralized IT or by managed service providers using SonicWall's Global Management System.

    The PRO 2040 comes bundled with 10 VPN client licenses (it can support up to 100). The VPN itself has hardware-based IPsec acceleration, so it should be able to perform well up to the capacity of the WAN interface and still leave CPU capacity for administrative functions. The SonicWall VPN Client software is fairly easy to use. The server-side configuration is easier than some. A series of wizards (including a VPN wizard) that should make the whole process much simpler is coming in an upgrade to SonicOS.

    The PRO 2040 will intimidate most people without a lot of IT savvy. But it's a very good choice for businesses who need support for more complex networks and have an eye toward scalability.

    Reviewed By Larry Seltzer
    Editor Rating: 3.5 out of 4
    Article Source: PC Magazine